Bug 19295 - Provides bad crypt()-function
Provides bad crypt()-function
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: openssl (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-10-17 21:08 EDT by Enrico Scholz
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-10-18 08:16:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Enrico Scholz 2000-10-17 21:08:05 EDT
libcrypto.0.9.5a contains a crypt()  function providing only the simple DES
encrypting. But libcrypt.so (part of glibc) allows MD5 encryption
supporting larger passwords.

E.g. compiling
------- test.cc ------
#define _XOPEN_SOURCE
#include <unistd.h>
#include <iostream>

int main() {
        std::cout << crypt("ABC", "$1$abcdef$") << std::endl;
}
-------

both with -lcrypt and -lcrypto is giving different output:

# g++ /tmp/crypt.cc -lcrypt && ./a.out 
$1$abcdef$huJsPyysqd.RqgtSA1ccS.

# g++ /tmp/crypt.cc -lcrypto && ./a.out 
$1EA5T9lIorRY



So you can loss the capability to use large passwd's if OpenSSL is linked
to the program (I have seen it with cvs-1.11).

Reason seems to lie in crypto/des/fcrypt.c where crypt() is nested in a
complicated #if-#else clause. Perhaps it's fixed in OpenSSL-0.9.6 but I
have no opportunity to test it now.
Comment 1 Nalin Dahyabhai 2000-10-24 16:28:49 EDT
This will be fixed in openssl-0.9.5a-19 in Raw Hide.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.